Interview: Strong user awareness and secure passwords – how to get there?

Secure passwords were one of the main topics in blog posts on cyber security trends at the end of last year. While there used to be a consensus in the past that strong passwords should contain upper and lower case letters, numbers and special characters and should be changed regularly, the new guidelines emphasise the importance of passwords as passphrases and authentication mechanisms such as FIDO2.

In the interview with Borut Žnidar, MSc, CISO at Halcom d.d., we discussed the changes in cybersecurity in recent years and how Halcom, a high-quality software solutions developer for the financial sector, addresses cyber security on the front line of defence – how they build user awareness and check password security.

Halcom is a software development company that has been developing innovative and secure payment and financial solutions for three decades. Cybersecurity has been one of your top priorities for many years. You took the CISO position at Halcom four years ago; how has the world of cybersecurity changed since that time?

Three key things related directly to my work have changed. The complexity of attacks has increased, not necessarily technologically but rather socio-technologically, as the human factor has become a critical element of successful attacks. We believe that attacks are not focused only on technology; they are an interplay of several more straightforward approaches. This brings us to the second significant change: attacks on people have become more complex. They are more creative, and the method increasingly takes human nature into account. And the third significant change: our country is no longer on the periphery. We could have considered Slovene as a part of cyber-protection, but now we can no longer rely on it. I recently used ChatGPT to instantly produce an excellent text in Slovene to simulate a fishing attack. People were used to recognising attacks by incorrect Slovene. But not anymore; we must constantly remind ourselves that correct Slovene is not a guarantee for the legitimacy of a message.

Therefore, it is important to remind our employees what our security policy is and how we should act. The primary objective here is not to prevent attacks but to raise awareness. We want them to realise that technology is not the ultimate protection and that they must actively participate in the prevention process. To efficiently block cyber-attack attempts, we have to use a combination of technical solutions and employee awareness skills.

A holistic approach to cybersecurity management includes using security devices and systems effectively, regular testing and verification, and ongoing user education. What has been your main focus in the post-covid time?

Regarding technology, we dedicate more time to ensuring secure remote work. We are trying to protect remote work better and educate users on the subject. When working at home, employees simultaneously connect to corporate services on the corporate network, to corporate cloud services and – whether we want it or not – to private cloud services. Of course, these are not necessarily harmful, but they are private. The security of these three channels must be harmonised, and users should be able to work efficiently.

The aim of security is not to stop users from doing their job but to enable them to do their job safely. I was pleasantly surprised when individuals came to me because they had sensed that something was not set up the way they thought it should be, and they had second thoughts about the security. I believe this is a very positive response because you realise that users consider security important, and you can use these inputs to improve the security of the work environment for everyone. We are also considering introducing additional technical solutions to enhance the control over remote access.

The second part, which is also very important, is to educate and test users with simulated phishing attacks. We use the KnowBe4 platform and are very happy with the results. We run monthly campaigns, and the feedback from users as well as from the management, has been very positive. We have successfully presented our experience with the programme and the results to the entire Halcom group.

What do you think is the weakest point of the IT system? Which attack vector is, in your opinion, the most difficult to detect and block?

At the moment, I think the human factor is the most critical. In Halcom, we are working hard to mitigate this risk, and I believe we are going in the right direction.

In recent months we have had relatively few “clickers” in our phishing attack simulations. We can count them on the fingers of one hand, and we are below the industry average. Furthermore, we see that more than half of our employees have correctly identified and flagged the test phishing message, which I consider a very high percentage. If employees flag phishing emails (test and real), I get a better insight into potential attacks and take action.

So, you pay a lot of attention to training your employees in identifying social engineering attacks. Why did you decide to build your employees in this field systematically?

A few years ago, phishing was generally considered to be a big problem. We first had the idea of writing attack simulations ourselves, but ultimately, we decided to try it with a platform. The price was acceptable, and we decided to take a one-year licence and test it.

Given the results we achieved in the first year, there was no doubt that we would continue with the tests. The response has been good so far, even though there are some clickers with every campaign we send. When the number of clickers increases, we carry out additional activities to raise even more awareness. Once a user has failed a test, they are definitely more cautious in the following months. The platform could probably be used even better, as new educational content is always being added, and new functionalities for integration with other business tools are available. We currently run tests in English, but we also have plans to do them in Slovene. In the last year, we have introduced messages with more complex content as users sharpen their skills, and we adapt the simulations to their abilities.

I would particularly like to highlight the high automation level of the solution, which works smoothly after the initial set-up without daily monitoring.

If we look at the technical side of user awareness, we come to password security. Your company has recently tested the security of your employees’ passwords. Why did you decide to do this test?

About three years ago, we changed our password policy. Previously, we had a policy which enforced complex passwords with lower- and upper-case letters, numbers and special characters. We used to change passwords every three months. We decided to change our password policy a few years ago when the US NIST* announced that such passwords were, on the one hand, not user-friendly and, on the other hand, no more difficult to crack. They recommended longer passwords, preferably in the form of passphrases and without unfriendly complex characters. When we introduced the new policy, I expected some reluctance or opposition from users, as well as from auditors. However, almost none of them complained. We explained to the auditors that the new policy follows the renowned NIST recommendations, which is a reputable institution, and there were no problems.

The fact is that when you introduce a change like this, you do not know how it will work and what the consequences will be. Users changed their passwords; according to our new policy, we change them annually. But we did not know whether we actually had secure passwords. What would happen if someone managed to break into the network?

Therefore, we decided to test the effectiveness of the policy by testing passwords. Besides, during the previous penetration test, some password hashes were caught, and some were also cracked, which was an additional motivation for the test. Therefore, we tested all the passwords stored in our active directory (AD).

You probably had an idea of what the test result would be like before you started the project. To what extent do the actual test results match your expectations? In which direction do the results deviate?

We had no specific expectations. Given that this was the first time we had run the test, I assumed that quite a few passwords would be cracked. But only a few of them were active user passwords, which is the result I was pleased with.

However, we accidentally include old, inactive passwords in the hash database. These passwords were created according to the old password policy. It turned out that there were a lot of cracked passwords among them, so the test confirmed that the change in password policy was a step in the right direction.

Based on the results, have you already implemented any measures to improve password security?

First of all, users whose passwords were compromised changed their passwords accordingly.

We had some concerns about what to do with the compromised passwords. Finally, we decided the test provider would not share the disclosed passwords with us. Users whose passwords were cracked were given the opportunity to contact the test provider to find out why the password could have been cracked.

The feedback from users after the test was very positive, and the examples of cracked passwords also caught some interest. For example, how is it possible that a 24-character password was cracked? Some users shared their experiences with me, and we were able to use the anonymised data in our next internal training on information security and learned a lot from this test. We also got tips from the pentester on how to create reasonably secure passwords that are difficult to crack.

The next step is to repeat the test to check that we have successfully corrected the detected errors.

Finally, a more organisational question. There is a growing emphasis on the importance of managing cyber security “from the top” – at the board and management level. What is your opinion? Is the role of the CISO more a business or a technical one, and what skills are, in your opinion, essential to successfully manage cybersecurity in a large enterprise?

I would say that a CISO is a person who is involved in the company at all levels. You need to have at least some technical knowledge to be able to discuss issues with system administrators and programmers. On the other hand, you need the support of the management to be able to talk to the technicians in the first place.

It also depends on the size of the company. I can be involved in the whole vertical of our company, but in larger companies, the CISO function is often more isolated. From one point of view, this might not be the best option because it makes it harder to supervise the whole company and connect with other employees. In our company, the relationship is built on trust, and tight bonds exist throughout the organisation. This way, monitoring deviations from what we want and taking action is easier.

*NIST: https://www.nist.gov/